Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
> I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)

Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?

Thanks,
Mike

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
lucene-solr_3.6.1+dfsg-1_amd64.changes ACCEPTED into experimental
Accepted:

Format: 1.8
Date: Wed, 21 Nov 2012 09:31:05 +
Source: lucene-solr
Binary: liblucene3-java liblucene3-contrib-java liblucene3-java-doc libsolr-java solr-common solr-tomcat solr-jetty
Architecture: source all
Version: 3.6.1+dfsg-1
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: James Page <james.p...@ubuntu.com>
Description:
 liblucene3-contrib-java - Full-text search engine library for Java(TM)
 liblucene3-java - Full-text search engine library for Java(TM)
 liblucene3-java-doc - Documentation for Lucene
 libsolr-java - Enterprise search server based on Lucene - Java libraries
 solr-common - Enterprise search server based on Lucene3 - common files
 solr-jetty - Enterprise search server based on Lucene3 - Jetty integration
 solr-tomcat - Enterprise search server based on Lucene3 - Tomcat integration
Changes:
 lucene-solr (3.6.1+dfsg-1) experimental; urgency=low
 .
   * New upstream release.
   * Add dependency on JDK for solr-jetty (LP: #1046732):
     - d/control: Add extra Depends on default-jdk | java5-jdk as jetty
       requires a full JDK to support use of JSP's which solr uses.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Mike,

I don't understand what you expect from me. I've uploaded the patches to the BTS, I don't know what the next step is. I suppose a maintainer would pick it from there. If there's something I can do let me know.

Thanks,
Alberto

On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
> > I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
> > I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike

Hi Mike

I've read your tip again. Sorry for not understanding the first time. I'll prepare the patch again upstream, and post it on their BTS.
Bug#692442: patch upstream
Here is the patch posted to upstream: https://issues.apache.org/jira/browse/HTTPCLIENT-1265
Bug#692650: patch
patch posted upstream: https://issues.apache.org/jira/browse/AXIS-2883